s/key authentication for Apache on FreeBSD?

Andrew Kenneth Milton akm at theinternet.com.au
Wed Dec 10 23:33:47 PST 2003


+-------[ Brett Glass ]----------------------
| An excellent reason to use SSL together with S/key.

I'm not sure about the physical setup you have, but, here goes.

Why don't you issue certificates to each user, that have a fixed life span,
say a week (or day or a few hours), and avoid the password thing altogether?

If you can generate pieces of paper to hand out, you can generate a
certificate per user that gets assigned / refreshed before they leave.

You could even just revoke the certificate if/when lost, if the assignment 
of a new certificate is overly burdensome.

Once the certificate is revoked, even having physical possession of the Palm
Pilot won't give you access. There are no passwords to write down, and there
are no user interactions to sniff/log.

You should be able to use a certificate at a cafe via floppy/CD/USB key (I
guess; I've never been to one). If this is the normal usage pattern, I'd be
making the lifespan of the certs very small.

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |  M:+61 416 022 411   |
ACN: 082 081 472 ABN: 83 082 081 472 |akm at theinternet.com.au| Carpe Daemon
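
The scheme suggested in this message (a short-lived certificate per user, revoked if lost), as an added example that is not part of the original post: a throwaway OpenSSL CA issues a 7-day client certificate, then revokes it and republishes the CRL. The CA name `demo-ca`, the user `alice`, the file layout and the helper function names are all assumptions made for illustration.

```shell
# Added example: throwaway CA in a temp dir; "demo-ca", "alice" and the paths are constructed.
set -e
setup_ca() {    # $1 = CA directory
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_crl_days = 1    # republish the CRL at least daily
unique_subject = no     # lets the same user be issued a fresh cert
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
issue_cert() {  # $1 = CA directory, $2 = user, $3 = lifetime in days
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" -days "$3" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke_cert() { # $1 = CA directory, $2 = user; marks the cert revoked and republishes the CRL
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
cert_ok() {     # $1 = CA directory, $2 = user; succeeds only if chain, dates and CRL check pass
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
        "$1/$2.crt" >/dev/null 2>&1
}
d=$(mktemp -d)
setup_ca "$d"; issue_cert "$d" alice 7
cert_ok "$d" alice && echo "alice: accepted"
revoke_cert "$d" alice; cert_ok "$d" alice || echo "alice: rejected after revocation"
```

On the Apache side, mod_ssl's `SSLVerifyClient require` with `SSLCACertificateFile` and `SSLCARevocationFile` pointed at the CA certificate and CRL applies the same check at the TLS handshake (Apache 2.4 additionally needs `SSLCARevocationCheck`).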